Blogger Breaks Android Face Recognition with... a Picture?

There's always a scene in your average spy action movie thriller that goes a little something like this: The protagonist somehow ends up with a recording of a person's voice (or in gutsier movies, a copy of their fingerprint and/or eyeball), which said super-spy then uses to gain access to a voice-, fingerprint-, or retina-locked room. Valuables and information critical to the plot: pilfered.

One of the new features in the latest iteration of Google's mobile OS, Android 4.0 (codename: Ice Cream Sandwich), is the ability to unlock one's phone using one's noggin. In other words, your phone (the Samsung Galaxy Nexus, to use the market's only example at the moment) uses its front-facing camera to take a gander at your face. If it recognizes you, the phone automatically unlocks without need for a PIN code or some kind of graphical unlocking mechanism.

Neat, huh?

Of course, facial recognition isn't without its pitfalls: the technology just plain didn't work when demonstrated during the Galaxy Nexus announcement this past October. But what happens when facial recognition works too well? Or, to put it another way, what happens when the phone recognizes a face, but the face isn't a living, breathing user holding said phone?

That's the question posed by a blogger over at Soyaincau.com, who has allegedly been able to fool Android's facial recognition system by holding up a picture of himself to a Galaxy Nexus. And it wasn't even a printed picture of his face: The blogger took a snapshot of himself using a different phone, and then held that phone's screen up to the front-facing camera on the Galaxy Nexus. And that, allegedly, is all it took to unlock the Nexus.

"What's even more important is clarifying to everyone that the test, and the video, is not a trick. Some believed that we had programmed the Galaxy Note to recognise the picture and not the face. We must stress that this is not the case," wrote Soyaincau blogger "CC." "The Galaxy Nexus in the video was the exact same unit we used to do our hands-on video where we originally set up the device to recognise a face and not a picture of a face."

To Google's credit, however, Android does indicate that facial recognition unlocking is "less secure than a pattern, PIN, or password" when a user goes to set up the feature. That said, amateur spy enthusiasts are likely rubbing their hands together at the notion that a picture of their friends' faces could be all they need to gain access to a treasure trove of smartphone data.

David Murphy got his first real taste of technology journalism when he arrived at PC Magazine as an intern in 2005. A three-month gig turned to six months, six months turned to occasional freelance assignments, and he has since rejoined his tech-loving, mostly New York-based friends as one of PCMag.com's news contributors.
His rise to (self-described) fame in the world of tech journalism began during his stint as an associate editor at Maximum PC, where his love of cardboard-based PC construction and meetings put him in...